Shoe store Manfield may not oblige an employee to use an authorization system for its checkout system that works on the basis of a finger scan. The Amsterdam District Court ruled that such an obligation violates the General Data Protection Regulation ("AVG").

Manfield recently implemented an authorization system for its checkout system in all branches that works on the basis of a finger scan. With this system, Manfield employees can only access the checkout system by scanning their fingerprint. Without this access, employees cannot perform their checkout duties. The finger scan authorization was introduced to replace an authorization system in which Manfield employees had to enter a personalized numeric code to access the checkout system.
One of Manfield's employees opposed the use of her fingerprint for the authorization system. She argues that this authorization method violates her privacy rights because it involves biometric personal data, and Article 9(1) of the AVG in principle prohibits the processing of special personal data, including biometric data. According to her, the exception to this prohibition, namely that the collection of biometric data may be necessary for authentication or security purposes, does not apply here.
According to Manfield, the finger scan authorization system is necessary to secure sensitive information that can be accessed through its POS system. The POS system gives access not only to (sensitive) financial information, but also to personal data of Manfield employees. Customers' personal data can also be viewed. Manfield also argues that it has a business interest in implementing the system. Manfield has previously faced a number of cases of fraud involving employees.
A fingerprint qualifies as biometric personal data under the AVG. Biometric personal data are personal data resulting from specific technical processing of physical, physiological or behavioral characteristics of a person, on the basis of which that person can be unambiguously identified or his/her identity confirmed. Iris or retina scans, voice recognition and facial scans are therefore also biometric data.
The AVG provides that the processing of biometric personal data is a processing of special personal data. According to the AVG, the processing of biometric data to identify a person is in principle prohibited. The Netherlands has established additional conditions in this regard in the UAVG. The ban on processing biometric data does not apply in the Netherlands if the processing is necessary for authentication or security purposes.
An employer may only ask an employee for a fingerprint if it is necessary. The employer must therefore consider in advance whether identification with biometric data is necessary. This means that the employer must consider whether buildings and/or information systems need to be secured so well that this cannot be done other than by using biometric data. The employer must not be able to achieve the goal, e.g. access control, in any other way that is less invasive for employee privacy, such as using an access card. Only if the employer cannot achieve the goal in any other way is there a necessity.
If there is no such necessity, the employer may not instead seek the employee's consent in order to process the fingerprint anyway. The Autoriteit Persoonsgegevens believes that an employee cannot freely give his consent in that context. The employee is dependent on his employer, and not in a position to refuse.
The judge ruled that Manfield's business interest of combating fraud did not qualify as "necessary for authentication or security purposes." The court also found that Manfield did not sufficiently investigate possible alternatives such as access card, employee card and/or numerical codes, whether or not in combination. In any case, Manfield did not substantiate, for example by means of documents, weighing pros and cons of different systems, why it chose the finger scan authorization system.
The processing of biometric data is subject to strict(er) requirements under the AVG. Performing a data protection impact assessment ("DPIA", also called privacy impact assessment) is mandatory in case of large-scale processing and/or systematic monitoring of biometric data with the purpose of identifying a natural person. A DPIA is a tool to identify in advance the privacy risks of a data processing operation, so that measures can then be taken to reduce those risks. As part of the DPIA, the analysis of the necessity of processing biometric data should be well and concretely elaborated.